e9c6be1d1df7c4402a64910fc5d7fe5e5b5902b5cb3dc0bfaf011d9eb32e5408

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe
Size

5KB
MD5

29f1ed111e52aa0ac14c9daa8c907c6e
SHA1

af053cec2e230f3b205107b484b8ea95ac8544ed
SHA256

e9c6be1d1df7c4402a64910fc5d7fe5e5b5902b5cb3dc0bfaf011d9eb32e5408
SHA512

d00ffff282997635cac63627c11d32a4293aee34466cb088a3dd816e37b7406e0b898de4c798a4b6f943f0312aa6b81cb689f3b5e188b023b6810ec4fe9b7159
SSDEEP

48:ZvtWxUKQZVh7JIzIZ6NceyAVTvEHHAH7dhNAMoBAX:Z1aQZVVq8UNcpA2n47hcK

Score

6^/10

adware stealer

Malware Config

Signatures

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C613CE22-151C-4331-94FF-F113A153F66D}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regedit.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FDED1F38-3C93-11EF-8BF0-4AA38301372E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3532177550"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3535022815"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427144153"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117472"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3532177550"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117472"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117472"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "error"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C613CE22-151C-4331-94FF-F113A153F66D}\InProcServer32\ = "c:\\sysdump.dll"	regedit.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2448	regedit.exe
112	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3300	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3300	iexplore.exe
3300	iexplore.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2448	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	82
PID 4764 wrote to memory of 2448	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	82
PID 4764 wrote to memory of 2448	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	82
PID 4764 wrote to memory of 3300	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	86
PID 4764 wrote to memory of 3300	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	86
PID 3300 wrote to memory of 1464	3300	iexplore.exe	87
PID 3300 wrote to memory of 1464	3300	iexplore.exe	87
PID 3300 wrote to memory of 1464	3300	iexplore.exe	87
PID 4764 wrote to memory of 112	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	88
PID 4764 wrote to memory of 112	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	88
PID 4764 wrote to memory of 112	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	88
PID 4764 wrote to memory of 3564	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	89
PID 4764 wrote to memory of 3564	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	89
PID 4764 wrote to memory of 3564	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	89
PID 4764 wrote to memory of 2308	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	90
PID 4764 wrote to memory of 2308	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	90
PID 4764 wrote to memory of 2308	4764	29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29f1ed111e52aa0ac14c9daa8c907c6e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\regedit.exe
  regedit -S c:\temp1.reg
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - Runs .reg file with regedit
  PID:2448
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3300 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1464
- C:\Windows\SysWOW64\regedit.exe
  regedit -S c:\temp2.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\temp2.bat
  2⤵
  PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\temp1.bat
  2⤵
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WCI4PPHE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
\??\c:\sysdump.dll

Filesize
4KB

MD5
c7bf8cd9e5eb16abb1e77101d9c06440

SHA1
d283df309bbc85c79d52184239a735ee85a830d4

SHA256
4837d1cf1eedf70b42d437f3066839bfe92cbe2dfd30c5d8c140ebf9bb2b7551

SHA512
19c71d0b81b74c31b7de09693aac9250eea0a1bae6b4600ffa870763ec74515725eb34fb411a867a0227ad410d2f3821653c507ebcde3e4efa66ea8e11287113

Download Submit
\??\c:\temp1.bat

Filesize
224B

MD5
d6d984960c6b55555038fb6a366d1fee

SHA1
300f2615f09c6add911401d8f90dd29542fc39d3

SHA256
5e0786140fd6b161ede0b530685efb4d1f588561ad74186bbf2c820bab119a76

SHA512
3893d2f4443cbbe46c03eec4cb5a6c1c9916f2dadd557397e1c7c6478a451407275eb71f43401cf055caf216bded8731ce2c774f1054ae251ccf9ebabec9db32

Download Submit
\??\c:\temp1.reg

Filesize
435B

MD5
492eb2c8ff983e87c95ca5a704c6f5b8

SHA1
8677a4e0d606a526b1c90f180116dea7a6bcb0de

SHA256
9f0388e16d77a4560acfe712ab8a8c6a171c5d369c4134cd3af9bec658bbd431

SHA512
ded2c5fa380fcfaa346dcb33a0775cc476ee7f152b0b54ed34b3e97958e200f1f9f01ed546adc2241d2462cfaf39e9e273eaba04cb2efcfbf7085ba9251acd6e

Download Submit
\??\c:\temp2.bat

Filesize
84B

MD5
b9975d30ddbd098a754312e16f744ec6

SHA1
9d41e8816bf8f8aa48356c99af46e64947a0d2ef

SHA256
6e4f3dd8bf9469f50bd04878da2bb005a9df85192a5c7428b4477cecbfd4747c

SHA512
5bdca7782ebe7a2d919c7c096d0b2e9927c68044a5ca802ce7a43e6d4d62fda7b5d7620a1154e640c9946def1b13539a948a58bf13697f897748dc66e3406c02

Download Submit
\??\c:\temp2.reg

Filesize
128B

MD5
6fdc273e79d8888a813c762aa55edc39

SHA1
a3e72c4eaf143697e3c1a29c8b1c223c121e1d58

SHA256
e0eb2406ae229d4df0d3ff5bb8f9bd907aa947b51fdbb6bed1a3238852849f6c

SHA512
370125ded5b43b67cfc8f28363086fc9b2c85c6fe53ab1e5e00281cf87292650b2abe7bf9420631ca405f4c7e213bed00c53432329cc5f7d6d1f615a02a1f253

Download Submit
memory/4764-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4764-10-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads